Analysis
- max time kernel: 68s
- max time network: 71s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 17:30
- Static task: static1
- Behavioral task: behavioral1
  Sample: b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe
  Resource: win10v20210408
General
- Target: b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe
- Size: 124KB
- MD5: 7f97f16bef7560633680c07abb9d1a3d
- SHA1: 605a5d2749fbc45e4fc614c57d1897f66bbe3752
- SHA256: b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05
- SHA512: 13d0357ac3cf947069d71c6103c6c3d58adc59506d995fe9b930b910d71fdca65d17d68566213cc32bab422e6e15964c51bac6a994143f811304062ef185669c
Malware Config
- (none extracted)
Signatures
- Executes dropped EXE (1 IoC)
  Process: sihost.exe, PID 2436
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here both the submitted sample (PID 628) and its dropped copy (PID 2436) register the same task, "Azure-Update-Task" (see the process tree below).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                                                            Target PID  Target process
  628         b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe    744         schtasks.exe (logged 3 times)
  2436        sihost.exe                                                                2520        schtasks.exe (logged 3 times)
  Caveat: the only write targets are the schtasks.exe children each process has just spawned, which is consistent with the writes a parent makes into a child it is creating rather than with injection into an unrelated running process. Treat this signature as supporting evidence for the task creation, not as an injection finding on its own.
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe"
  PID: 628
  Signatures: Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    PID: 744
    Signatures: Creates scheduled task(s)
- Image: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  PID: 2436
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    PID: 2520
    Signatures: Creates scheduled task(s)

Reading the tree: the sample copies itself to %APPDATA%\Microsoft\Network\sihost.exe (the dropped file's hashes match the sample, see Downloads) and registers a task that launches that copy every minute; /F overwrites an existing task of the same name without prompting. The copy then appears as a second root with no recorded parent and with the unquoted command line from /tr, consistent with being started by the Task Scheduler service, and on each run it re-registers the same task. The file name borrows that of the legitimate Shell Infrastructure Host (C:\Windows\System32\sihost.exe) and the task name imitates an Azure update job; neither is a Microsoft component. Note that /C is not a documented schtasks.exe switch and the report does not show schtasks' exit status, but the copy being launched with exactly the /tr command line indicates the task was accepted and fired. On a live host, confirm with schtasks /query /tn "Azure-Update-Task" /v /fo LIST and check whether sihost.exe is running from a path other than System32.
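The two schtasks.exe invocations above are the detection opportunity. The following is an added example, not the sandbox's own signature logic, of how a detection engineer might score "schtasks /create" events from endpoint telemetry: it parses the command line, then flags a task whose binary lives in a user-writable directory, runs every minute, borrows a Windows system file name outside System32/SysWOW64, or is re-registered by the task binary itself. The records are constructed to mirror this report's process tree (field names follow Sysmon Event ID 1, but the events are not real telemetry); every function and variable name is this example's own.

```python
"""Score 'schtasks /create' events for the persistence pattern in the process tree.

Added example, not the sandbox's own signature logic. The ProcessCreate
records at the bottom are constructed (Sysmon Event ID 1 field names) to
mirror the report's two schtasks.exe invocations plus benign noise.
"""
import re
from dataclasses import dataclass

# Directory fragments a standard user can write to (compared lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Legitimate Windows binary names that malware borrows; the real ones live here.
SYSTEM_NAMES = {"sihost.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole (quotes stripped)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_switches(tokens):
    """Map schtasks switches (lower-cased) to a value, or True for bare flags.

    A switch followed by a non-switch token takes it as its value, so
    '/sc minute /mo 1 /F' -> {'/sc': 'minute', '/mo': '1', '/f': True}.
    """
    switches, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[tokens[i].lower()] = tokens[i + 1]
                i += 1
            else:
                switches[tokens[i].lower()] = True
        i += 1
    return switches


@dataclass
class Finding:
    pid: int
    parent_image: str
    task_name: str
    task_run: str
    schedule: str
    reasons: list


def evaluate(event):
    """Return a Finding for a suspicious 'schtasks /create', else None."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    sw = parse_switches(tokenize(event["CommandLine"]))
    if "/create" not in sw:
        return None
    task_run = str(sw.get("/tr", ""))
    run_l = task_run.lower()
    binary = run_l.rsplit("\\", 1)[-1]
    reasons = []
    if any(frag in run_l for frag in USER_WRITABLE):
        reasons.append("task binary in user-writable directory")
    if str(sw.get("/sc", "")).lower() == "minute" and str(sw.get("/mo", "1")) == "1":
        reasons.append("runs every minute (watchdog / re-infection cadence)")
    if binary in SYSTEM_NAMES and not any(d in run_l for d in SYSTEM_DIRS):
        reasons.append(f"task binary borrows the system file name {binary}")
    if event["ParentImage"].lower().rsplit("\\", 1)[-1] == binary:
        reasons.append("task re-registered by the task binary itself")
    if not reasons:
        return None
    return Finding(event["ProcessId"], event["ParentImage"], str(sw.get("/tn", "")),
                   task_run, f'{sw.get("/sc", "?")} /mo {sw.get("/mo", "1")}', reasons)


def run_detection(events):
    """Evaluate every record and return the findings in log order."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed records mirroring the report's process tree (not real telemetry).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Network\\sihost.exe"
SCHTASKS32 = "C:\\Windows\\SysWOW64\\schtasks.exe"
CREATE_CMD = (SCHTASKS32 + ' /C /create /F /sc minute /mo 1 '
              '/tn "Azure-Update-Task" /tr "' + DROPPED + '"')
EVENTS = [
    {"ProcessId": 744, "ParentImage": SAMPLE, "Image": SCHTASKS32, "CommandLine": CREATE_CMD},
    {"ProcessId": 2520, "ParentImage": DROPPED, "Image": SCHTASKS32, "CommandLine": CREATE_CMD},
    # Benign: an administrator's nightly job created from cmd.exe.
    {"ProcessId": 3001, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc daily /st 03:00 /tn "Nightly Backup" '
                    '/tr "C:\\Program Files\\Backup\\backup.exe" /ru SYSTEM'},
    # Benign: a query, not a creation.
    {"ProcessId": 3002, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /query /tn "Azure-Update-Task"'},
]

if __name__ == "__main__":
    for f in run_detection(EVENTS):
        print(f"PID {f.pid} (parent {f.parent_image}): {f.task_name!r} -> {f.task_run} [{f.schedule}]")
        for reason in f.reasons:
            print("    -", reason)
```

Run against the constructed records, only the two report-derived events produce findings: the first (PID 744) trips the user-writable path, the one-minute cadence and the borrowed sihost.exe name; the second (PID 2520) additionally trips the self-re-registration check, because its parent is the task binary itself. The nightly backup job and the /query are ignored. The tokenizer is deliberately regex-based rather than shlex, since POSIX escaping would strip the backslashes out of Windows paths.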
Network
- (no entries)
MITRE ATT&CK Enterprise v6
- (no entries in the extracted report)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 7f97f16bef7560633680c07abb9d1a3d
  SHA1: 605a5d2749fbc45e4fc614c57d1897f66bbe3752
  SHA256: b3b10c7691460d37601ea3feef02c2be230fb98bca7eecae4e39d45e724c4a05
  SHA512: 13d0357ac3cf947069d71c6103c6c3d58adc59506d995fe9b930b910d71fdca65d17d68566213cc32bab422e6e15964c51bac6a994143f811304062ef185669c
  All four hashes match the submitted sample: the dropped sihost.exe is a byte-for-byte copy of it, so a single file hash covers both the original and the persisted copy.
Memory dumps
- memory/628-114-0x00000000004B0000-0x000000000055E000-memory.dmp (696KB)
- memory/628-116-0x0000000000400000-0x00000000004A6000-memory.dmp (664KB)
- memory/744-115-0x0000000000000000-mapping.dmp
- memory/2436-121-0x0000000000400000-0x00000000004A6000-memory.dmp (664KB)
- memory/2436-120-0x0000000000500000-0x0000000000504000-memory.dmp (16KB)
- memory/2520-119-0x0000000000000000-mapping.dmp
Both the sample (PID 628) and its copy (PID 2436) map the same 664KB image at 0x00400000, the default image base of a 32-bit executable, which is larger than the 124KB file on disk; the 696KB region at 0x004B0000 and the 16KB region at 0x00500000 are additional allocations the sandbox dumped from each process.